1030 lines
22 KiB
YAML
1030 lines
22 KiB
YAML
---
|
|
#
|
|
# First run check
|
|
#
|
|
- name: check if this is a new instance
|
|
shell: "echo 'bootstrapped' > /etc/pvc-install.base"
|
|
args:
|
|
creates: /etc/pvc-install.base
|
|
register: newhost_check
|
|
tags: always
|
|
|
|
- name: set newhost fact
|
|
set_fact:
|
|
newhost: yes
|
|
when: newhost_check.changed
|
|
tags: always
|
|
|
|
# Set this_node fact
|
|
- set_fact:
|
|
this_node: "{{ inventory_hostname.split('.')[0] }}"
|
|
tags: always
|
|
|
|
# Set coordinator state fact
|
|
- set_fact:
|
|
is_coordinator: "{% for node in pvc_nodes if node.hostname == this_node %}{{ node.is_coordinator }}{% endfor %}"
|
|
tags: always
|
|
|
|
#
|
|
# Set Debian details
|
|
#
|
|
- name: set Debian details (with ansible_distribution_*)
|
|
set_fact:
|
|
debian_version: "{{ ansible_distribution_major_version }}"
|
|
debian_codename: "{{ ansible_distribution_release }}"
|
|
when: ansible_distribution_release is defined
|
|
tags: always
|
|
|
|
- name: set Debian details (with ansible_lsb)
|
|
set_fact:
|
|
debian_version: "{{ ansible_lsb.major_release }}"
|
|
debian_codename: "{{ ansible_lsb.codename }}"
|
|
when: ansible_lsb.codename is defined
|
|
tags: always
|
|
|
|
#
|
|
# Remove obsolete issue-gen
|
|
#
|
|
- name: remove obsolete issue-gen script from PVC installer
|
|
file:
|
|
dest: /etc/network/if-up.d/issue-gen
|
|
state: absent
|
|
when: newhost is defined and newhost
|
|
tags: always
|
|
|
|
#
|
|
# Install custom fact scripts
|
|
#
|
|
- name: create facts directory
|
|
file:
|
|
dest: "/etc/ansible/facts.d"
|
|
state: directory
|
|
recurse: yes
|
|
tags: base-ansible
|
|
|
|
- name: install custom facts
|
|
template:
|
|
src: "etc/ansible/facts.d/{{ item }}.fact.j2"
|
|
dest: "/etc/ansible/facts.d/{{ item }}.fact"
|
|
mode: 0755
|
|
register: installed_facts
|
|
with_items:
|
|
- host_id
|
|
- host_group
|
|
- dhcp_status
|
|
tags: base-ansible
|
|
|
|
- name: regather facts
|
|
setup:
|
|
when: installed_facts.changed
|
|
tags: base-ansible
|
|
|
|
- debug:
|
|
var: ansible_local.host_group
|
|
verbosity: 1
|
|
tags: always
|
|
|
|
- debug:
|
|
var: ansible_local.host_id
|
|
verbosity: 1
|
|
tags: always
|
|
|
|
- debug:
|
|
var: ansible_local.dhcp_status
|
|
verbosity: 1
|
|
tags: always
|
|
|
|
#
|
|
# Configure APT
|
|
#
|
|
|
|
- name: install apt config files
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
|
|
- { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
|
|
- { src: "etc/apt/sources.list.{{ ansible_machine }}.{{ debian_codename }}.j2", dest: "/etc/apt/sources.list" }
|
|
register: apt_config
|
|
tags: base-apt
|
|
|
|
- name: add key for PVC repo
|
|
apt_key:
|
|
url: "{{ debian_pvc_signing_key_path }}"
|
|
id: "{{ debian_pvc_signing_key_id }}"
|
|
state: present
|
|
register: apt_key
|
|
tags: base-apt
|
|
|
|
#
|
|
# Safe apt upgrades (on first install only)
|
|
#
|
|
|
|
- name: apt update
|
|
apt:
|
|
update-cache: yes
|
|
when: (newhost is defined and newhost) or apt_config.changed or apt_key.changed
|
|
tags: base-apt
|
|
|
|
- name: aptitude safe upgrade with autoremove
|
|
apt:
|
|
update_cache: yes
|
|
autoremove: yes
|
|
upgrade: safe
|
|
when: newhost is defined and newhost
|
|
tags: base-apt
|
|
|
|
- name: install dbus
|
|
apt:
|
|
name:
|
|
- dbus
|
|
state: latest
|
|
when: newhost is defined and newhost
|
|
tags: base-apt
|
|
|
|
- name: clean out apt cache
|
|
file:
|
|
path: "/var/cache/apt/archives"
|
|
state: absent
|
|
when: newhost is defined and newhost
|
|
tags: base-apt
|
|
|
|
#
|
|
# Purge unneeded packages
|
|
#
|
|
|
|
- name: remove unneeded packages
|
|
apt:
|
|
name:
|
|
- exim4
|
|
- exim4-base
|
|
- exim4-config
|
|
- exim4-daemon-light
|
|
- joe
|
|
state: absent
|
|
purge: yes
|
|
autoremove: yes
|
|
tags: base-packages
|
|
|
|
- name: set override debconf selections
|
|
shell: 'echo "{{ item }}" | debconf-set-selections'
|
|
with_items:
|
|
- "wireshark-common wireshark-common/install-setuid boolean true"
|
|
tags: base-packages
|
|
|
|
- name: install common packages (buster)
|
|
apt:
|
|
name:
|
|
- python
|
|
when: debian_codename == 'buster'
|
|
tags: base-packages
|
|
|
|
- name: install common packages (bullseye)
|
|
apt:
|
|
name:
|
|
- python-is-python3
|
|
when: debian_codename == 'bullseye'
|
|
tags: base-packages
|
|
|
|
- name: install common packages (all versions)
|
|
apt:
|
|
name:
|
|
- debconf-utils
|
|
- iptables
|
|
- locales
|
|
- acpid
|
|
- acpi-support-base
|
|
- rsync
|
|
- bash
|
|
- bash-completion
|
|
- net-tools
|
|
- pciutils
|
|
- usbutils
|
|
- smartmontools
|
|
- check-mk-agent
|
|
- dns-root-data
|
|
- bind9-host
|
|
- dnsutils
|
|
- whois
|
|
- postfix
|
|
- ntp
|
|
- openssh-client
|
|
- openssh-server
|
|
- libpam-systemd
|
|
- fail2ban
|
|
- ca-certificates
|
|
- openssl
|
|
- sudo
|
|
- rsyslog
|
|
- logrotate
|
|
- man
|
|
- less
|
|
- vim
|
|
- nano
|
|
- git
|
|
- vlan
|
|
- bridge-utils
|
|
- ifenslave
|
|
- nmap
|
|
- netcat-openbsd
|
|
- htop
|
|
- psmisc
|
|
- dstat
|
|
- iotop
|
|
- lsof
|
|
- jnettop
|
|
- iperf
|
|
- sysstat
|
|
- binutils
|
|
- deborphan
|
|
- needrestart
|
|
- wget
|
|
- curl
|
|
- gawk
|
|
- uuid-runtime
|
|
- mmv
|
|
- pv
|
|
- bc
|
|
- reptyr
|
|
- sharutils
|
|
- tcptraceroute
|
|
- nethogs
|
|
- strace
|
|
- tshark
|
|
- acl
|
|
- bzip2
|
|
- lzop
|
|
- xz-utils
|
|
- haveged
|
|
- cpufrequtils
|
|
- ipmitool
|
|
- grub-efi
|
|
- plymouth
|
|
- plymouth-themes
|
|
- linux-image-amd64
|
|
- linux-headers-amd64
|
|
tags: base-packages
|
|
|
|
- name: install cleanup scripts
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0755
|
|
with_items:
|
|
- { src: "usr/local/sbin/kernel-cleanup.sh.j2", dest: "/usr/local/sbin/kernel-cleanup.sh" }
|
|
- { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
|
|
tags: base-packages
|
|
|
|
#
|
|
# System configuration
|
|
#
|
|
|
|
# networking
|
|
- name: install base interfaces file
|
|
template:
|
|
src: etc/network/interfaces.j2
|
|
dest: /etc/network/interfaces
|
|
tags: base-network
|
|
|
|
- name: install per-interface files
|
|
template:
|
|
src: etc/network/interfaces-perif.j2
|
|
dest: /etc/network/interfaces.d/{{ network.key }}
|
|
with_dict: "{{ networks }}"
|
|
loop_control:
|
|
loop_var: network
|
|
tags: base-network
|
|
|
|
# locale
|
|
- name: install locale config files
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
|
|
- { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
|
|
tags: base-system
|
|
|
|
- name: set timezone for /etc/localtime
|
|
file:
|
|
src: /usr/share/zoneinfo/{{ timezone_location }}
|
|
dest: /etc/localtime
|
|
state: link
|
|
force: yes
|
|
tags: base-system
|
|
|
|
- name: set timezone for /etc/timezone
|
|
copy:
|
|
content: "{{ timezone_location }}"
|
|
dest: /etc/timezone
|
|
tags: base-system
|
|
|
|
- name: generate locales
|
|
command: locale-gen
|
|
tags: base-system
|
|
|
|
# sysctl
|
|
- name: install sysctl tweaks
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
|
|
tags: base-system
|
|
|
|
- name: activate sysctl tweaks
|
|
shell: "sysctl -p {{ item }}"
|
|
with_items:
|
|
- /etc/sysctl.d/pvc.conf
|
|
tags: base-system
|
|
|
|
# cpufreq
|
|
- name: write the cpufrequtils governor
|
|
template:
|
|
src: etc/default/cpufrequtils.j2
|
|
dest: /etc/default/cpufrequtils
|
|
register: cpufrequtils
|
|
tags: base-system
|
|
|
|
- name: activate cpufrequtils governor
|
|
service:
|
|
name: cpufrequtils
|
|
state: restarted
|
|
when: cpufrequtils.changed
|
|
tags: base-system
|
|
|
|
# sudo
|
|
- name: write the sudoers file
|
|
template:
|
|
src: "etc/sudoers.j2"
|
|
dest: "/etc/sudoers"
|
|
mode: 0440
|
|
tags: base-system
|
|
|
|
# dns
|
|
- name: write the hosts config
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- { src: "etc/hosts.j2", dest: "/etc/hosts" }
|
|
tags: base-dns
|
|
|
|
- name: write the resolver configs
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
|
|
- { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
|
|
tags: base-dns
|
|
|
|
# GRUB bootloader
|
|
- name: create PVC grub directory
|
|
file:
|
|
state: directory
|
|
dest: "/usr/share/grub-pvc"
|
|
|
|
- name: install PVC grub style
|
|
copy:
|
|
src: "usr/share/grub-pvc/{{ item }}"
|
|
dest: "/usr/share/grub-pvc/{{ item }}"
|
|
with_items:
|
|
- background.png
|
|
- theme.txt
|
|
|
|
- name: install GRUB configuration
|
|
template:
|
|
src: etc/default/grub.j2
|
|
dest: /etc/default/grub
|
|
notify:
|
|
- update grub
|
|
|
|
# Plymouth theme
|
|
- name: install PVC Plymouth theme archive
|
|
unarchive:
|
|
src: "usr/share/plymouth/themes/pvc.tar"
|
|
dest: "/usr/share/plymouth/themes/"
|
|
creates: "/usr/share/plymouth/themes/pvc"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: install PVC Plymouth background file
|
|
copy:
|
|
src: "usr/share/grub-pvc/background.png"
|
|
dest: "/usr/share/plymouth/themes/pvc/background-tile.png"
|
|
|
|
- name: set PVC Plymouth theme as the default
|
|
command: plymouth-set-default-theme -R pvc
|
|
|
|
# issue prompt
|
|
- name: install PVC /etc/issue file
|
|
template:
|
|
src: etc/issue.j2
|
|
dest: /etc/issue
|
|
|
|
# syslog
|
|
- name: install rsyslog and logrotate configs
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
notify:
|
|
- restart rsyslog
|
|
with_items:
|
|
- { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
|
|
- { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
|
|
tags: base-syslog
|
|
|
|
- name: set journalctl persistence
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0644
|
|
with_items:
|
|
- { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
|
|
tags: base-syslog
|
|
|
|
# cron
|
|
- name: install crontab
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0755
|
|
with_items:
|
|
- { src: "etc/crontab.j2", dest: "/etc/crontab" }
|
|
tags: base-cron
|
|
|
|
# mta
|
|
- name: install postfix generic config
|
|
template:
|
|
src: "etc/postfix/main.cf.j2"
|
|
dest: "/etc/postfix/main.cf"
|
|
notify:
|
|
- restart postfix
|
|
tags: base-mta
|
|
|
|
- name: touch the postfix aliases file
|
|
file:
|
|
dest: /etc/postfix/aliases
|
|
state: touch
|
|
tags: base-mta
|
|
|
|
- name: install local alias maps for various users
|
|
lineinfile:
|
|
dest: "/etc/aliases"
|
|
regexp: "^{{ item }}:"
|
|
line: "{{ item }}: {{ username_email_root }}"
|
|
state: present
|
|
with_items:
|
|
- root
|
|
- postmaster
|
|
- amavis
|
|
- clamav
|
|
notify:
|
|
- newaliases
|
|
tags: base-mta
|
|
|
|
# ntp
|
|
- name: write the NTP config file
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
notify:
|
|
- restart ntp
|
|
with_items:
|
|
- { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
|
|
tags: base-time
|
|
|
|
# ssl
|
|
- name: ensure haveged is running
|
|
service:
|
|
name: haveged
|
|
state: started
|
|
tags: base-ssl
|
|
|
|
- name: generate diffie-hellman parameters
|
|
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
|
|
args:
|
|
creates: /etc/ssl/dhparams.pem
|
|
tags: base-ssl
|
|
|
|
- name: correct permissions on dhparams
|
|
file:
|
|
dest: /etc/ssl/dhparams.pem
|
|
mode: 0440
|
|
tags: base-ssl
|
|
|
|
# ssh
|
|
- name: write the sshd_config files
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
notify:
|
|
- restart ssh
|
|
with_items:
|
|
- { src: 'etc/ssh/ssh_config.j2', dest: '/etc/ssh/ssh_config' }
|
|
- { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
|
|
- { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
|
|
- { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
|
|
tags: base-ssh
|
|
|
|
- name: write sshd pam.d config
|
|
template:
|
|
src: "etc/pam.d/sshd.j2"
|
|
dest: "/etc/pam.d/sshd"
|
|
tags: base-ssh
|
|
|
|
- name: remove unneeded SSH keys (leave only RSA and ED25519)
|
|
file:
|
|
name: "{{ item }}"
|
|
state: "absent"
|
|
with_items:
|
|
- /etc/ssh/ssh_host_dsa_key
|
|
- /etc/ssh/ssh_host_dsa_key.pub
|
|
- /etc/ssh/ssh_host_ecdsa_key
|
|
- /etc/ssh/ssh_host_ecdsa_key.pub
|
|
notify:
|
|
- restart ssh
|
|
tags: base-ssh
|
|
|
|
- name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
|
|
file:
|
|
name: "/etc/ssh/{{ item.name }}"
|
|
mode: "{{ item.mode }}"
|
|
with_items:
|
|
- { name: 'ssh_host_rsa_key', mode: '600' }
|
|
- { name: 'ssh_host_rsa_key.pub', mode: '644' }
|
|
- { name: 'ssh_host_ed25519_key', mode: '600' }
|
|
- { name: 'ssh_host_ed25519_key.pub', mode: '644' }
|
|
tags: base-ssh
|
|
|
|
# bash
|
|
- name: write the bash.bashrc config file
|
|
template:
|
|
src: "etc/bash.bashrc.j2"
|
|
dest: "/etc/bash.bashrc"
|
|
tags: base-shell
|
|
|
|
# motd
|
|
- name: ensure update-motd and profile.d scripts are present
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0755
|
|
with_items:
|
|
- { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
|
|
- { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
|
|
- { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" }
|
|
tags: base-shell
|
|
|
|
- name: install update-motd crontab
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0644
|
|
with_items:
|
|
- { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
|
|
tags: base-shell
|
|
|
|
- name: ensure /etc/motd is absent
|
|
file:
|
|
dest: "/etc/motd"
|
|
state: absent
|
|
tags: base-shell
|
|
|
|
# fail2ban
|
|
- name: install fail2ban configurations
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0644
|
|
notify: restart fail2ban
|
|
with_items:
|
|
- { src: "etc/fail2ban/action.d/route.conf.j2", dest: "/etc/fail2ban/action.d/route.conf" }
|
|
- { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
|
|
- { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
|
|
- { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
|
|
tags: base-fail2ban
|
|
|
|
# check-mk-agent
|
|
- name: install check_mk agent plugins
|
|
copy:
|
|
src: "usr/lib/check_mk_agent/plugins/{{ item }}"
|
|
dest: "/usr/lib/check_mk_agent/plugins/{{ item }}"
|
|
mode: 0755
|
|
with_items:
|
|
- backup
|
|
- cephfsmounts
|
|
- dpkg
|
|
- entropy
|
|
- freshness
|
|
- ipmi
|
|
- ownership
|
|
tags: base-cmkagent
|
|
|
|
# backups
|
|
- name: create backup directory
|
|
file:
|
|
dest: /srv/backups
|
|
state: directory
|
|
tags: base-backups
|
|
|
|
- name: install daily backup script
|
|
template:
|
|
src: etc/cron.daily/pvc-backup.j2
|
|
dest: /etc/cron.daily/pvc-backup
|
|
mode: 0755
|
|
tags: base-backups
|
|
|
|
- name: install IPMI network interfaces fragment
|
|
template:
|
|
src: etc/network/interfaces.d/ipmi.j2
|
|
dest: /etc/network/interfaces.d/ipmi
|
|
tags: base-ipmi
|
|
|
|
- name: configure IPMI username
|
|
command: "ipmitool user set name {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['username'] }}"
|
|
with_items:
|
|
- "admin"
|
|
- "pvc"
|
|
ignore_errors: yes
|
|
tags: base-ipmi
|
|
|
|
- name: configure IPMI password
|
|
command: "ipmitool user set password {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['password'] }}"
|
|
with_items:
|
|
- "admin"
|
|
- "pvc"
|
|
ignore_errors: yes
|
|
tags: base-ipmi
|
|
|
|
- name: configure IPMI role
|
|
command: "ipmitool user priv {{ ipmi_user_configuration[cluster_hardware][item]['id'] }} {{ ipmi_user_configuration[cluster_hardware][item]['role'] }} {{ ipmi_user_configuration[cluster_hardware]['channel'] }}"
|
|
with_items:
|
|
- "admin"
|
|
- "pvc"
|
|
ignore_errors: yes
|
|
tags: base-ipmi
|
|
|
|
- name: enable IPMI user
|
|
command: "ipmitool user enable {{ ipmi_user_configuration[cluster_hardware][item]['id'] }}"
|
|
with_items:
|
|
- "admin"
|
|
- "pvc"
|
|
ignore_errors: yes
|
|
tags: base-ipmi
|
|
|
|
#
|
|
# Configure users
|
|
#
|
|
|
|
# common
|
|
- name: ensure /var/home exists
|
|
file:
|
|
state: directory
|
|
dest: /var/home
|
|
tags:
|
|
- users
|
|
|
|
# root
|
|
- name: generate Root password hash
|
|
command: "mkpasswd --method=sha512crypt {{ root_password }}"
|
|
no_log: true
|
|
register: mkpasswd
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
- name: set Root password
|
|
user:
|
|
name: root
|
|
password: "{{ mkpasswd.stdout }}"
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
- name: remove Root known_hosts
|
|
file:
|
|
state: absent
|
|
dest: /root/.ssh/known_hosts
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
- name: write vimrc to root homedir
|
|
template:
|
|
src: var/home/user/vimrc.j2
|
|
dest: /root/.vimrc
|
|
mode: 0600
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
- name: create vimdir
|
|
file:
|
|
state: directory
|
|
dest: /root/.vim
|
|
mode: 0700
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
- name: write htoprc to homedir
|
|
template:
|
|
src: var/home/user/config/htop/htoprc.j2
|
|
dest: /root/.htoprc
|
|
mode: 0600
|
|
tags:
|
|
- users
|
|
- user-root
|
|
|
|
# backup
|
|
- name: ensure backup user has shell
|
|
user:
|
|
name: backup
|
|
shell: /bin/sh
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
- name: create backup .ssh directory
|
|
file:
|
|
path: /var/backups/.ssh
|
|
state: directory
|
|
owner: backup
|
|
group: root
|
|
mode: 0700
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
- name: create backup authorized_keys file
|
|
template:
|
|
src: var/backups/ssh/authorized_keys.j2
|
|
dest: /var/backups/.ssh/authorized_keys
|
|
owner: backup
|
|
group: root
|
|
mode: 0640
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
- name: write the sudoers file
|
|
template:
|
|
src: etc/sudoers.d/sudoers-backup.j2
|
|
dest: /etc/sudoers.d/backup
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
- name: install the post-backup timestamp script
|
|
template:
|
|
src: var/backups/timestamp.sh.j2
|
|
dest: /var/backups/timestamp.sh
|
|
mode: 0755
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
- name: touch shares file
|
|
file:
|
|
dest: /var/backups/shares
|
|
state: touch
|
|
owner: backup
|
|
tags:
|
|
- users
|
|
- user-backup
|
|
|
|
# deploy
|
|
- name: ensure user deploy exists
|
|
user:
|
|
name: "{{ deploy_username }}"
|
|
uid: 200
|
|
group: operator
|
|
shell: /bin/bash
|
|
home: "/var/home/{{ deploy_username }}"
|
|
createhome: yes
|
|
move_home: yes
|
|
state: present
|
|
append: yes
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
- name: ensure homedir has right permissions
|
|
file:
|
|
dest: "/var/home/{{ deploy_username }}"
|
|
state: directory
|
|
owner: "{{ deploy_username }}"
|
|
group: operator
|
|
mode: 0700
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
- name: ensure .ssh directory exists
|
|
file:
|
|
dest: "/var/home/{{ deploy_username }}/.ssh"
|
|
state: directory
|
|
owner: "{{ deploy_username }}"
|
|
group: operator
|
|
mode: 0700
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
- name: add authorized keys
|
|
authorized_key:
|
|
user: "{{ deploy_username }}"
|
|
key: "{{ item.1 }}"
|
|
state: present
|
|
with_subelements:
|
|
- "{{ admin_users }}"
|
|
- keys
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
- name: remove authorized keys
|
|
authorized_key:
|
|
user: "{{ deploy_username }}"
|
|
key: "{{ item.1 }}"
|
|
state: absent
|
|
with_subelements:
|
|
- "{{ admin_users }}"
|
|
- removed
|
|
ignore_errors: yes
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
# admin_users
|
|
- name: ensure user exists
|
|
user:
|
|
name: "{{ item.name }}"
|
|
uid: "{{ item.uid }}"
|
|
group: operator
|
|
groups: sudo,adm,wireshark
|
|
shell: /bin/bash
|
|
home: "/var/home/{{ item.name }}"
|
|
createhome: yes
|
|
state: present
|
|
append: yes
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: ensure homedir has right permissions
|
|
file:
|
|
dest: "/var/home/{{ item.name }}"
|
|
state: directory
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: ensure .ssh directory exists
|
|
file:
|
|
dest: "/var/home/{{ item.name }}/.ssh"
|
|
state: directory
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: add authorized keys
|
|
authorized_key:
|
|
user: "{{ item.0.name }}"
|
|
key: "{{ item.1 }}"
|
|
state: present
|
|
with_subelements:
|
|
- "{{ admin_users }}"
|
|
- keys
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: remove authorized keys
|
|
authorized_key:
|
|
user: "{{ item.0.name }}"
|
|
key: "{{ item.1 }}"
|
|
state: absent
|
|
with_subelements:
|
|
- "{{ admin_users }}"
|
|
- removed
|
|
tags:
|
|
- users
|
|
- user-deploy
|
|
|
|
- name: write bashrc to homedir
|
|
template:
|
|
src: var/home/user/bashrc.j2
|
|
dest: "/var/home/{{ item.name }}/.bashrc"
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: write bash_logout to homedir
|
|
template:
|
|
src: var/home/user/bash_logout.j2
|
|
dest: "/var/home/{{ item.name }}/.bash_logout"
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: ensure htop config directory exists
|
|
file:
|
|
dest: "/var/home/{{ item.name }}/.config/htop"
|
|
state: directory
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0755
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: write htoprc to homedir
|
|
template:
|
|
src: var/home/user/config/htop/htoprc.j2
|
|
dest: "/var/home/{{ item.name }}/.config/htop/htoprc"
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0644
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: write profile to homedir
|
|
template:
|
|
src: var/home/user/profile.j2
|
|
dest: "/var/home/{{ item.name }}/.profile"
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: write vimrc to homedir
|
|
template:
|
|
src: var/home/user/vimrc.j2
|
|
dest: "/var/home/{{ item.name }}/.vimrc"
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0600
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
- name: create vimdir
|
|
file:
|
|
state: directory
|
|
dest: /var/home/{{ item.name }}/.vim
|
|
owner: "{{ item.name }}"
|
|
group: operator
|
|
mode: 0700
|
|
with_items: "{{ admin_users }}"
|
|
tags:
|
|
- users
|
|
- user-admin
|
|
|
|
#
|
|
# Verify and enable services
|
|
#
|
|
|
|
- name: verify and enable services
|
|
service:
|
|
name: "{{ item }}"
|
|
state: started
|
|
enabled: yes
|
|
with_items:
|
|
- acpid
|
|
- cpufrequtils
|
|
- ntp
|
|
- postfix
|
|
- rsyslog
|
|
- ssh
|
|
tags: base-services
|
|
|
|
- meta: flush_handlers
|